🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to v2.10.4 from v2.10.3.
libxml2 v2.10.4 addresses the following known vulnerabilities:
CVE-2023-29469: Hashing of
empty dict strings isn't deterministic
CVE-2023-28484: Fix null deref
in xmlSchemaFixupComplexType
Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.14.3,
and only if the packaged libraries are being used. If you've overridden defaults at installation
time to use system libraries instead of packaged libraries, you should instead pay attention to
your distro's libxml2 release announcements.
Mitigation
Upgrade to Nokogiri >= 1.14.3.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against external libraries libxml2 >= 2.10.4 which will also address these
same issues.
Impact
No public information has yet been published about the security-related issues other than the
upstream commits. Examination of those changesets indicate that the more serious issues relate to
libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.
Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.
For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.
Mitigation
Upgrade to Nokogiri >= 1.13.10.
Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.
Calling NodeSet#to_html on an empty node set no longer raises an encoding-related exception. This bug was introduced in v1.14.0 while fixing #2649. [#2784]
Serializing documents now works again with pseudo-IO objects that don't support IO's encoding API (like rubyzip's Zip::OutputStream). This was a regression in v1.14.0 due to the fix for #752 in #2434, and was not completely fixed by #2753. [#2773]
[CRuby] Address compiler warnings about void* casting and old-style C function definitions.
JRuby 9.3, which is not fully compatible with Ruby 2.7+
Faster, more reliable installation: Native Gem for aarch64-linux (aka linux/arm64/v8)
This version of Nokogiri ships official native gem support for the aarch64-linux platform, which should support AWS Graviton and other ARM64 Linux platforms. Please note that glibc >= 2.29 is required for aarch64-linux systems, see Supported Platforms for more information.
Faster, more reliable installation: Native Gem for arm-linux (aka linux/arm/v7)
This version of Nokogiri ships experimental native gem support for the arm-linux platform. Please note that glibc >= 2.29 is required for arm-linux systems, see Supported Platforms for more information.
Pattern matching
This version introduces an experimental pattern matching API for XML::Attr, XML::Document, XML::DocumentFragment, XML::Namespace, XML::Node, and XML::NodeSet (and their subclasses).
This version of Nokogiri uses jar-dependencies to manage most of the vendored Java dependencies. nokogiri -v now outputs maven metadata for all Java dependencies, and Nokogiri::VERSION_INFO also contains this metadata. [#2432]
HTML parsing is now provided by net.sourceforge.htmlunit:neko-htmlunit:2.61.0 (previously Nokogiri used a fork of org.cyberneko.html:nekohtml)
Vendored Jing is updated from com.thaiopensource:jing:20091111 to nu.validator:jing:20200702VNU.
New dependency on net.sf.saxon:Saxon-HE:9.6.0-4 (via nu.validator:jing:20200702VNU).
Added
Node#wrap and NodeSet#wrap now also accept a Node type argument, which will be duped for each wrapper. For cases where many nodes are being wrapped, creating a Node once using Document#create_element and passing that Node multiple times is significantly faster than re-parsing markup on each call. [#2657]
[CRuby] Invocation of custom XPath or CSS handler functions may now use the nokogiri namespace prefix. Historically, the JRuby implementation required this namespace but the CRuby implementation did not support it. It's recommended that all XPath and CSS queries use the nokogiri namespace going forward. Invocation without the namespace is planned for deprecation in v1.15.0 and removal in a future release. [#2147]
HTML5::Document#quirks_mode and HTML5::DocumentFragment#quirks_mode expose the quirks mode used by the parser.
Improved
Functional
HTML5 parser update to reflect changes to the living specification:
Serialization of HTML5 documents and fragments has been re-implemented and is ~10x faster than previous versions. [#2596, #2569]
Parsing of HTML5 documents is ~90% faster thanks to additional compiler optimizations being applied. [#2639]
Compare Encoding objects rather than compare their names. This is a slight performance improvement and is future-proof. [#2454] (Thanks, @casperisfine!)
Error handling
Document#canonicalize now raises an exception if inclusive_namespaces is non-nil and the mode is inclusive, i.e. XML_C14N_1_0 or XML_C14N_1_1. inclusive_namespaces can only be passed with exclusive modes, and previously this silently failed.
Empty CSS selectors now raise a clearer Nokogiri::CSS::SyntaxError message, "empty CSS selector". Previously the exception raised from the bowels of racc was "unexpected '$' after ''". [#2700]
[CRuby] XML::Reader parsing errors encountered during Reader#attribute_hash and Reader#namespaces now raise an XML::SyntaxError. Previously these methods would return nil and users would generally experience NoMethodErrors from elsewhere in the code.
Prefer ruby_xmalloc to malloc within the C extension. [#2480] (Thanks, @Garfield96!)
Installation
Avoid compile-time conflict with system-installed gumbo.h on OpenBSD. [#2464]
Remove calls to vasprintf in favor of platform-independent rb_vsprintf
Installation from source on systems missing libiconv will once again generate a helpful error message (broken since v1.11.0). [#2505]
[CRuby+OSX] Compiling from source on MacOS will use the clang option -Wno-unknown-warning-option to avoid errors when Ruby injects options that clang doesn't know about. [#2689]
Fixed
SAX::Parser's encoding attribute will not be clobbered when an alternative encoding is passed into SAX::Parser#parse_io. [#1942] (Thanks, @kp666!)
Serialized HTML4::DocumentFragment will now be properly encoded. Previously this empty string was encoded as US-ASCII. [#2649]
Node#wrap now uses the parent as the context node for parsing wrapper markup, falling back to the document for unparented nodes. Previously the document was always used.
[CRuby] UTF-16-encoded documents longer than ~4000 code points now serialize properly. Previously the serialized document was corrupted when it exceeded the length of libxml2's internal string buffer. [#752]
[CRuby] The HTML5 parser now correctly handles text at the end of form elements.
[CRuby] HTML5::Document#fragment now always uses body as the parsing context. Previously, fragments were parsed in the context of the associated document's root node, which allowed for inconsistent parsing. [#2553]
[CRuby] Nokogiri::HTML5::Document#url now correctly returns the URL passed to the constructor method. Previously it always returned nil. [#2583]
[CRuby] HTML5 encoding detection is now case-insensitive with respect to meta tag charset declaration. [#2693]
[CRuby] HTML5 fragment parsing in context of an annotation-xml node now works. Previously this rarely-used path invoked rb_funcall with incorrect parameters, resulting in an exception, a fatal error, or potentially a segfault. [#2692]
[CRuby] HTML5 quirks mode during fragment parsing more closely matches document parsing. [#2646]
[JRuby] Fixed a bug with adding the same namespace to multiple nodes via #add_namespace_definition. [#1247]
[JRuby] NodeSet#[] now raises a TypeError if passed an invalid parameter type. [#2211]
Deprecated
Nokogiri.install_default_aliases is deprecated in favor of Nokogiri::EncodingHandler.install_default_aliases. This is part of a private API and is probably not called by anybody, but we'll go through a deprecation cycle before removal anyway. [#2643, #2446]
Changed
[CRuby+OSX] Technical note: On MacOS Ruby 3.2, the symbols from libxml2 and libxslt are no longer exported. Ruby 3.2 adopted new features from the Darwin toolchain that make it challenging to continue to support this rarely-used binary API. A future minor release of Nokogiri may remove these symbols (and others) entirely. Feedback from downstream gem maintainers is welcome at #2746, where you'll also be able to read deeper context on this decision.
Thank you!
The following people and organizations were kind enough to sponsor @flavorjones or the Nokogiri project during the development of v1.14.0:
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
depfu[bot]
commented
7 months ago
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗️ nokogiri (indirect, 1.13.9 → 1.14.3) · Repo · Changelog
Security Advisories 🚨
🚨 Update packaged libxml2 to v2.10.4 to resolve multiple CVEs
🚨 Unchecked return value from xmlTextReaderExpand
Release Notes
1.14.2
1.14.1
1.14.0
1.13.10
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ mini_portile2 (indirect, 2.8.0 → 2.8.1) · Repo · Changelog
Release Notes
2.8.1
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 7 commits:
version bump to v2.8.1Merge pull request #122 from flavorjones/119-improve-patchingfix: handle patching in dirs that resemble an actual git dirMerge pull request #121 from flavorjones/flavorjones-exercise-patching-in-examplestest: `rake test:examples` now exercises patchingMerge pull request #117 from flavorjones/flavorjones-loosen-bundler-dependencydep(dev): loosen bundler dependency↗️ racc (indirect, 1.6.0 → 1.6.2) · Repo · Changelog
Release Notes
1.6.2
1.6.1
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 50 commits:
Bump version to 1.6.2Merge pull request #205 from ruby/racc-versionRemoved Original ID constant from Java implBump up Racc parser versionAlways issue deprecation warning when calling Regexp.new with 3rd positional argumentMerge pull request #203 from jwillemsen/patch-3Merge pull request #204 from jwillemsen/patch-4Removed old Id tagRemoved old originalId in commentMerge pull request #200 from jwillemsen/patch-3Fixed typo in racc.en.rhtmlBump version to 1.6.1Merge pull request #198 from ruby/flavorjones-update-ci-pipeline-20221123ci: update jruby versions and add trufflerubyMerge pull request #197 from jwillemsen/patch-3Update racc.gemspecMerge pull request #196 from jwillemsen/patch-3Update README.rdocMerge pull request #195 from jwillemsen/patch-3Update racc.en.rhtmlMerge pull request #194 from enebo/jruby_racc_findMerge pull request #193 from okuramasafumi/patch-1Make racc test more flexible (for JRuby).Fix documentation directory name in READMEMerge pull request #191 from nobu/fix-regexp-optionFix flag to `Regexp.new`Merge pull request #189 from nobu/strip-trailing-spacesStrip trailing whitespaces [ci skip]Show diffsStrip trailing whitespaces at the last line of actionsMerge pull request #188 from nobu/nodoc-parseerror[DOC] Remove stale `Object::ParseError` documentationMerge pull request #187 from ruby/dependabot/github_actions/actions/checkout-3Bump actions/checkout from 2 to 3Merge pull request #186 from ruby/add-dependabotAdded dependabotMerge pull request #184 from simi/patch-1Fix typo in sample/calc.y.ci: fix name of default branchMerge pull request #181 from ruby/flavorjones-update-ci-with-ruby31ci: update to cover Ruby 3.1Merge pull request #180 from k0kubun/rubyvm-mjits/RubyVM::JIT/RubyVM::MJIT/gMerge pull request #179 from jwillemsen/patch-3Update README.rdocMerge pull request #178 from nobu/fix-namesFix a private method nameFix typo in a local variable nameMerge pull request #173 from ruby/ci-use-cache-add-jruby93CI: Add JRuby 9.3, use bundler-cacheDepfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands